marcus•6d ago

"Could not decode token" custom JWT auth

While following the custom auth configuration setup, I ran into this issue where the backend could not decode the access token Here is my auth setup

export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: <same as image shown>,
      issuer: 'privy.io',
      jwks: <correct working jwks endpoint>,
      algorithm: 'ES256'
    }
  ]
}

export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: <same as image shown>,
      issuer: 'privy.io',
      jwks: <correct working jwks endpoint>,
      algorithm: 'ES256'
    }
  ]
}

I have verified that my decoded kid, alg, aud are all correct. I have a suspicision that because the issuer field here is not a HTTPS url, the decoding is not working. Would appreciate some support here

3 Replies

erquhart•6d ago

The Convex backend will prefix it with https://. What is the actual iss claim value in your token? Actually this probably isn't issuer related: https://github.com/get-convex/convex-backend/blob/a805f0b8d9692faf767bfddcc20fb1ab52d45e3a/crates/authentication/src/lib.rs#L288-L293 I'd check jwt.io and confirm that the token and jwks validate

marcusOP•5d ago

The iss is privy.io, so maybe prefixing will cause an issue? Gotcha let me try and run that snippet locally @erquhart I noticed that https://github.com/get-convex/convex-backend/blob/a805f0b8d9692faf767bfddcc20fb1ab52d45e3a/crates/authentication/src/lib.rs#L201-L216 only has RS256 and Ed25519, Is it possible to add CoreJwsSigningAlgorithm::RsaSsaPssSha256?

erquhart•8h ago

For now only RS256 and Ed25519 are supported

"Could not decode token" custom JWT auth

Did you find this page helpful?